credentials.h revision a1401311d1ab56c4ed0a474bd38c108f75cb0cd9
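// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SERVICES_CREDENTIALS_H_
#define SANDBOX_LINUX_SERVICES_CREDENTIALS_H_

#include "build/build_config.h"
// Link errors are tedious to track, raise a compile-time error instead.
#if defined(OS_ANDROID)
#error "Android is not supported."
#endif  // defined(OS_ANDROID).

#include <string>

#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"

namespace sandbox {

// This class should be used to manipulate the current process' credentials.
// It is currently a stub used to manipulate POSIX.1e capabilities as
// implemented by the Linux kernel.
//
// The privilege-dropping operations below are ordered: DropFileSystemAccess()
// needs CAP_SYS_CHROOT, which an unprivileged process obtains through
// MoveToNewUserNS(), and DropAllCapabilities() must come last so that neither
// the chroot nor the capability drop can be undone. A typical sequence is:
//   1. MoveToNewUserNS()
//   2. CHECK(!HasOpenDirectory(-1)) while /proc is still reachable
//   3. DropFileSystemAccess()
//   4. DropAllCapabilities()
//   5. optionally HasOpenDirectory(proc_fd) with a previously opened /proc fd,
//      then close(proc_fd) immediately.
// Every bool method returns false when the operation did not take effect;
// callers must treat that as a sandbox setup failure rather than continue
// as if the process were restricted.
class Credentials {
 public:
  Credentials();
  ~Credentials();

  // Checks whether the current process has any directory file descriptor open.
  // Directory file descriptors are "capabilities" that would let a process use
  // system calls such as openat() to bypass restrictions such as
  // DropFileSystemAccess().
  // Sometimes it's useful to call HasOpenDirectory() after file system access
  // has been dropped. In this case, |proc_fd| should be a file descriptor to
  // /proc. The file descriptor in |proc_fd| will be ignored by
  // HasOpenDirectory() and remains owned by the caller. It is very important
  // for the caller to close it: |proc_fd| is itself a directory file
  // descriptor and therefore exactly the kind of escape vector this method
  // is meant to detect.
  // If /proc is available, |proc_fd| can be passed as -1.
  // If |proc_fd| is -1 and /proc is not available, this function will return
  // false. Note that in that situation false does NOT mean "no directory file
  // descriptor is open" -- it means the check could not be performed. Callers
  // that rely on the answer must pass a valid |proc_fd|.
  // NOTE(review): the result is a point-in-time snapshot; another thread that
  // opens a directory concurrently is not accounted for -- confirm callers
  // run this while the process is single-threaded.
  bool HasOpenDirectory(int proc_fd);

  // Drop all capabilities in the effective, inheritable and permitted sets for
  // the current process.
  // NOTE(review): per Linux user-namespace semantics, a process with no
  // capabilities can generally obtain a full set again by creating another
  // user namespace (CLONE_NEWUSER). This method does not prevent that on its
  // own -- confirm the caller's seccomp policy (or equivalent) covers
  // unshare()/clone() with CLONE_NEWUSER.
  bool DropAllCapabilities();
  // Return true iff there is any capability in any of the capabilities sets
  // of the current process.
  // NOTE(review): whether the bounding set counts as one of "the capabilities
  // sets" is decided by the implementation -- confirm against credentials.cc
  // before using this as an assertion that DropAllCapabilities() succeeded.
  bool HasAnyCapability() const;
  // Returns the capabilities of the current process in textual form, as
  // documented in libcap2's cap_to_text(3). This is mostly useful for
  // debugging and tests. Do not base security decisions on parsing this
  // string; use HasAnyCapability() instead.
  scoped_ptr<std::string> GetCurrentCapString() const;

  // Returns whether the kernel supports CLONE_NEWUSER and whether it would be
  // possible to immediately move to a new user namespace. There is no point
  // in using this method right before calling MoveToNewUserNS(), simply call
  // MoveToNewUserNS() immediately. This method is only useful to test kernel
  // support ahead of time: a true result is a capability probe, not a
  // guarantee that a later MoveToNewUserNS() succeeds, so that call's return
  // value must still be checked.
  static bool SupportsNewUserNS();

  // Move the current process to a new "user namespace" as supported by Linux
  // 3.8+ (CLONE_NEWUSER).
  // The uid map will be set-up so that the perceived uid and gid will not
  // change.
  // If this call succeeds, the current process will be granted a full set of
  // capabilities in the new namespace. Per user_namespaces(7) these
  // capabilities are only effective on resources governed by the new
  // namespace; they do not confer privilege over the parent namespace. The
  // expected use here is to obtain CAP_SYS_CHROOT for DropFileSystemAccess()
  // and then discard everything with DropAllCapabilities().
  bool MoveToNewUserNS();

  // Remove the ability of the process to access the file system. File
  // descriptors which are already open prior to calling this API remain
  // available.
  // The implementation currently uses chroot(2) and requires CAP_SYS_CHROOT.
  // CAP_SYS_CHROOT can be acquired by using the MoveToNewUserNS() API.
  // Make sure to call DropAllCapabilities() after this call to prevent
  // escapes: a process that keeps CAP_SYS_CHROOT can simply chroot again.
  // To be secure, it's very important for this API to not be called while the
  // process has any directory file descriptor open (see HasOpenDirectory()),
  // since such a descriptor lets openat()-style calls reach outside the
  // chroot. Any file descriptor, directory or not, that is deliberately kept
  // open across this call must be considered part of the sandbox's attack
  // surface.
  bool DropFileSystemAccess();

 private:
  DISALLOW_COPY_AND_ASSIGN(Credentials);
};

}  // namespace sandbox.

#endif  // SANDBOX_LINUX_SERVICES_CREDENTIALS_H_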